CVE-2026-23831

5.3 MEDIUM

📋 TL;DR

This CVE describes a nil pointer dereference in Rekor's COSE entry implementation: processing attacker-controlled input with an empty spec.message causes a panic. The vulnerability affects Rekor versions 1.4.3 and below and lets an attacker trigger HTTP 500 errors by submitting malformed COSE entries. Because the panic is recovered rather than crashing the process, the impact on service availability is minimal, but repeated requests could still be used for denial of service.

💻 Affected Systems

Products:
  • sigstore/rekor
Versions: Versions 1.4.3 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments running vulnerable versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could cause repeated thread panics leading to degraded performance or temporary service disruption in Rekor instances.

🟠

Likely Case

Attackers can trigger 500 error responses by sending malformed COSE entries, potentially causing minor service degradation.

🟢

If Mitigated

With proper monitoring and rate limiting, impact is limited to occasional 500 errors with no data compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed COSE entries but is straightforward once the format is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0

Vendor Advisory: https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833

Restart Required: Yes

Instructions:

1. Stop the Rekor service.
2. Update to version 1.5.0 using your package manager or a manual installation.
3. Restart the Rekor service.
4. Verify the version with 'rekor-cli version' or equivalent.

🔧 Temporary Workarounds

Input validation at proxy layer (applies to: all)

Implement WAF or reverse proxy rules to reject COSE entries with empty message fields.
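The proxy-layer rule described above, written out as an added example (this is not Rekor's code and not part of the advisory). It assumes the Rekor entry body is JSON with a top-level `kind` of `"cose"` and a base64 `spec.message` field, which is how Rekor encodes binary fields; only those two fields are inspected and everything else is forwarded untouched. Any non-COSE kind is passed through, so the rule does not interfere with other entry types.

```python
"""Reject Rekor COSE entries whose spec.message is missing or empty.

Added example for a reverse-proxy / WAF hook; not Rekor's own code.
Assumptions: entries are JSON objects, the affected type is kind == "cose",
and spec.message is a base64 string (Rekor encodes binary fields as base64).
"""
import base64
import json


class RejectEntry(Exception):
    """Raised when the proxy should answer 400 instead of forwarding."""


def validate_cose_entry(body: bytes) -> dict:
    """Parse an entry submission and reject malformed COSE entries.

    Returns the parsed entry when it is acceptable to forward.
    Entries of any other kind are returned without further inspection.
    """
    try:
        entry = json.loads(body)
    except ValueError as exc:
        raise RejectEntry(f"body is not valid JSON: {exc}") from None
    if not isinstance(entry, dict):
        raise RejectEntry("entry must be a JSON object")
    if entry.get("kind") != "cose":          # assumed kind string for COSE entries
        return entry                         # not the affected type; let Rekor decide
    spec = entry.get("spec")
    if not isinstance(spec, dict):
        raise RejectEntry("cose entry has no spec object")
    message = spec.get("message")
    if not isinstance(message, str) or message == "":
        raise RejectEntry("cose entry has an empty or missing spec.message")
    # A field that is present but decodes to nothing is as useless as a
    # missing one; validate=True makes b64decode reject non-alphabet bytes.
    try:
        raw = base64.b64decode(message, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        raise RejectEntry("spec.message is not valid base64") from None
    if len(raw) == 0:
        raise RejectEntry("spec.message decodes to zero bytes")
    return entry


def proxy_decision(body: bytes) -> tuple:
    """Map a request body to (status, reason): 200 = forward, 400 = reject."""
    try:
        validate_cose_entry(body)
    except RejectEntry as exc:
        return 400, str(exc)
    return 200, "forward to rekor"


# Constructed sample submissions (no real signatures or keys).
GOOD_COSE = json.dumps({
    "apiVersion": "0.0.1", "kind": "cose",
    "spec": {"message": base64.b64encode(b"\xd2\x84\x43\xa1\x01\x26").decode(),
             "publicKey": base64.b64encode(b"constructed-key-bytes").decode()},
}).encode()
EMPTY_MESSAGE = json.dumps({"apiVersion": "0.0.1", "kind": "cose",
                            "spec": {"message": "", "publicKey": "QUJD"}}).encode()
MISSING_MESSAGE = json.dumps({"apiVersion": "0.0.1", "kind": "cose",
                              "spec": {"publicKey": "QUJD"}}).encode()
OTHER_KIND = json.dumps({"apiVersion": "0.0.1", "kind": "hashedrekord",
                         "spec": {}}).encode()

if __name__ == "__main__":
    for name, body in [("good", GOOD_COSE), ("empty", EMPTY_MESSAGE),
                       ("missing", MISSING_MESSAGE), ("other", OTHER_KIND)]:
        print(name, proxy_decision(body))
```

Only the conditions the advisory names are checked here; the proxy still forwards well-formed COSE entries to Rekor for full verification, so this is a pre-filter, not a replacement for the 1.5.0 fix.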

🧯 If You Can't Patch

  • Implement rate limiting to prevent DoS attacks
  • Monitor for 500 error spikes and block offending IPs

🔍 How to Verify

Check if Vulnerable:

Check the Rekor version: if it is 1.4.3 or below, the system is vulnerable.

Check Version:

rekor-cli version | grep Version

Verify Fix Applied:

Verify that the version is 1.5.0 or higher, then submit a malformed COSE entry (empty message field) and confirm that it is rejected without a panic.
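The version check above automated as an added example (not part of the advisory or the Rekor project). It assumes that `rekor-cli version` prints a `GitVersion:` line such as `GitVersion: v1.4.3`, as sigstore tools do; if your build prints the version differently, adjust `VERSION_RE`. Because it compares numeric components rather than strings, 1.10.0 correctly sorts after 1.5.0.

```python
"""Decide from `rekor-cli version` output whether the build predates the fix.

Added example; not from the advisory or Rekor. Assumes a `GitVersion:` line
in the command output. The fixed release (1.5.0) is taken from the advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (1, 5, 0)   # first release with the fix, per the advisory
VERSION_RE = re.compile(r"GitVersion:\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from version output, or None if absent."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the reported version is below 1.5.0, False if fixed,
    None if no version could be parsed (treat None as 'investigate')."""
    version = parse_version(output)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_installed(cmd=("rekor-cli", "version")) -> Optional[bool]:
    """Run the version command and classify the installed build."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None           # binary not on PATH: nothing to classify
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    result = check_installed()
    print({True: "VULNERABLE (below 1.5.0)", False: "fixed",
           None: "version not determined"}[result])
```

`rekor-cli version` reports the client build; the version that matters is the one the Rekor server is running, so run the equivalent command against the server binary (or check its release tag) if the two are deployed separately.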

📡 Detection & Monitoring

Log Indicators:

  • Panic stack traces in logs
  • Increased 500 HTTP status codes
  • Recovered goroutine panics

Network Indicators:

  • HTTP 500 responses to COSE entry submissions
  • Unusual patterns of COSE entry submissions

SIEM Query:

http.status_code:500 AND path:"/api/v1/log/entries"
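The SIEM query above, together with the "monitor for 500 error spikes and block offending IPs" mitigation, run over sample log lines as an added example (not from the advisory or from Rekor). The log lines are constructed here in the common combined access-log format a reverse proxy in front of Rekor might emit; the path and the 500 status are the page's indicators, while the per-source burst threshold and window are assumed tuning values.

```python
"""Flag clients producing bursts of HTTP 500s on Rekor's entry endpoint.

Added example; not the advisory's or Rekor's code. Log lines are constructed
in combined access-log format; adjust LOG_RE for your proxy's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET_PATH = "/api/v1/log/entries"     # submission endpoint from the SIEM query


def parse_line(line):
    """Return a dict of the fields we need, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": int(m["status"]),
    }


def find_500_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_500s} for clients that hit `threshold` 500 responses
    on TARGET_PATH within any `window`. The filter (status 500 AND the entry
    path) is the SIEM query; the sliding window adds the per-source spike rule.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 500 and rec["path"] == TARGET_PATH:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                       # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample log (the IPs, times and user agent are made up).
def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "rekor-cli/constructed"'

_BASE = datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

def _ts(offset_s):
    return (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)

SAMPLE_LOG = (
    [_line("10.0.0.5", _ts(i * 7), "POST", TARGET_PATH, 500) for i in range(6)]  # burst
    + [_line("10.0.0.5", _ts(40), "POST", TARGET_PATH, 201),      # a successful upload
       _line("10.0.0.9", _ts(3), "POST", TARGET_PATH, 500),       # isolated 500
       _line("10.0.0.9", _ts(900), "POST", TARGET_PATH, 500),     # 15 minutes later
       _line("10.0.0.7", _ts(10), "GET", "/api/v1/log", 500),     # wrong endpoint
       "this line is not an access-log record"]
)

if __name__ == "__main__":
    print(find_500_bursts(SAMPLE_LOG))   # expect only 10.0.0.5
```

Feed the output to whatever blocks or rate-limits clients at your proxy; the threshold should sit above the 500 rate your legitimate clients normally produce, so check a baseline first.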

🔗 References
